Chapter 4 Data Acquisition

Guide to Computer Forensics and Investigations

6. Proprietary Formats
Features offered
Option to compress or not compress image files
Can split an image into smaller segmented files
Can integrate metadata into the image file
Disadvantages
Inability to share an image between different tools
File size limitation for each segmented volume

11. Determining the Best Acquisition Method (continued)
Bit-stream disk-to-image file
Most common method
Can make more than one copy
Copies are bit-for-bit replications of the original drive
ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
Bit-stream disk-to-disk
When disk-to-image copy is not possible
Consider disk’s geometry configuration
EnCase, SafeBack, SnapCopy

12. Determining the Best Acquisition Method (continued)
Logical acquisition or sparse acquisition
When your time is limited
Logical acquisition captures only specific files of interest to the case
Sparse acquisition also collects fragments of unallocated (deleted) data
For large disks
E-mail PST or OST mail files,
Specific records for large RAID servers
For RAID systems holding terabytes of data, this is the best method

13. Determining the Best Acquisition Method (continued)
When making a copy, consider:
Size of the source disk
Whether to compress (PKZip, WinZip)?
Lossless compression might be useful
Use digital signatures for verification
When working with large drives, an alternative is using tape backup systems
Super Digital Linear Tape (SDLT)
Digital Audio Tape; Digital Data Storage (DAT/DDS)
Whether you can retain the disk

14. Contingency Planning for Image Acquisitions
Create a duplicate copy of your evidence image file
Make at least two images of digital evidence
Use different tools or techniques
Copy host protected area of a disk drive as well
Consider using a hardware acquisition tool that can access the drive at the BIOS level (X-Ways)
Be prepared to deal with encrypted drives
Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions

19. Acquiring Data with a Linux Boot CD (continued)
Acquiring data with dd in Linux (continued)
Shortcomings of the dd command
Requires more advanced skills than the average user has
Does not compress data
dd command combined with the split command
Segments output into separate volumes
Acquiring data with dcfldd in Linux
dd command is intended as a data management tool
Not designed for forensics acquisitions

22. Capturing an Image with ProDiscover Basic
Connecting the suspect’s drive to your workstation
Document the chain of evidence for the drive
Remove the drive from the suspect’s computer
Configure the suspect drive’s jumpers as needed
Connect the suspect drive to a FireWire write blocker
Create a storage folder on the target drive (F:\Evidence)

23. Capturing an Image with ProDiscover
Using ProDiscover’s Proprietary Acquisition Format
Image file will be split into segments of 650 MB
Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

35. Linux Validation Methods
Validating dd-acquired data
You can use md5sum or sha1sum utilities
md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes

36. Validating dcfldd-acquired data
Use the hash= option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
The hashlog= option writes the hash results to a text file that can be stored with the image files
The vf= (verify file) option compares the image file to the original medium
dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log
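The following is an added example and not part of the slides or of the dcfldd project. It shows, in plain POSIX shell, what slides 19, 35 and 36 describe: dd piped into split to produce segmented volumes, a hash log written beside the image (the idea behind dcfldd's hashlog= option), and validation of the segmented volumes against the source medium and against their logged hashes (the idea behind vf=). It uses sha256sum rather than md5sum, and a constructed random file in a temporary directory stands in for /dev/sda so it runs offline; the names WORK, SRC, IMG_PREFIX, HASHLOG and all the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): acquire a "drive" with dd piped into
# split so the image lands in segmented volumes, write a hash log for the
# source and every segment (what dcfldd's hashlog= option does), then
# validate the segments against the source medium (the vf= idea).
# A constructed random file stands in for /dev/sda so this runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/drive.img"          # constructed stand-in for the suspect device
IMG_PREFIX="$WORK/usbimg."     # split names segments usbimg.aa, usbimg.ab, ...
HASHLOG="$WORK/usbhash.log"

hash_of() {
    # SHA-256 of the file named in $1 ('-' hashes stdin)
    sha256sum "$1" | cut -d' ' -f1
}

make_sample_drive() {
    # 5 MiB of random bytes: enough to produce three 2 MiB segments
    head -c $((5 * 1024 * 1024)) /dev/urandom > "$SRC"
}

acquire_segmented() {
    # dd reads the medium bit-for-bit; split writes it out in 2 MiB volumes
    # (dd alone has no equivalent of dcfldd's split= option).
    dd if="$SRC" bs=1M 2>/dev/null | split -b 2M - "$IMG_PREFIX"
    # Hash log kept beside the image: source hash first, then one line per
    # segment in the "<hash>  <file>" layout that sha256sum -c understands.
    {
        printf 'source sha256: %s\n' "$(hash_of "$SRC")"
        for seg in "$IMG_PREFIX"*; do
            printf '%s  %s\n' "$(hash_of "$seg")" "$(basename "$seg")"
        done
    } > "$HASHLOG"
}

segment_count() {
    n=0
    for seg in "$IMG_PREFIX"*; do n=$((n + 1)); done
    echo "$n"
}

validate_image() {
    # Whole-image check: the segments concatenated in name order must hash
    # to the source hash recorded at acquisition time.
    expected=$(sed -n 's/^source sha256: //p' "$HASHLOG")
    actual=$(cat "$IMG_PREFIX"* | hash_of -)
    [ "$expected" = "$actual" ]
}

validate_each_segment() {
    # Per-volume check: every segment must still match its logged hash, so a
    # damaged or altered volume is identified by name rather than just "fail".
    for seg in "$IMG_PREFIX"*; do
        logged=$(grep " $(basename "$seg")\$" "$HASHLOG" | cut -d' ' -f1)
        [ "$logged" = "$(hash_of "$seg")" ] || return 1
    done
}

tamper_segment() {
    # Simulate a corrupted segment (one extra byte on the last volume).
    printf 'X' >> "${IMG_PREFIX}ac"
}

make_sample_drive
acquire_segmented
printf 'segments: %s\n' "$(segment_count)"
validate_image && validate_each_segment && echo "image validated: $HASHLOG"
```

Run it as an ordinary script; it prints the segment count and the path of the hash log. Hashing every segment as well as the whole image is what makes the log useful later: a whole-image mismatch says only that something changed, while the per-segment lines say which volume.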

37. Windows Validation Methods
Windows has no built-in hashing tools for computer forensics
Third-party utilities can be used
Commercial computer forensics programs also have built-in validation features
Each program has its own validation technique
Raw format image files don’t contain metadata
Separate manual validation is recommended for all raw acquisitions

38. Performing RAID Data Acquisitions
Size is the biggest concern
Many RAID systems now have terabytes of data

39. Understanding RAID
Redundant array of independent (formerly “inexpensive”) disks (RAID)
Computer configuration involving two or more disks
Originally developed as a data-redundancy measure
RAID 0
Provides rapid access and increased storage
Lack of redundancy
RAID 1
Designed for data recovery
More expensive than RAID 0

40. Understanding RAID (continued)
RAID 2
Similar to RAID 1
Data is written to a disk on a bit level
Has better data integrity checking than RAID 0
Slower than RAID 0
RAID 3
Uses data striping and dedicated parity
RAID 4
Data is written in blocks

46. Acquiring RAID Disks
Concerns
How much data storage is needed?
What type of RAID is used?
Do you have the right acquisition tool?
Can the tool read a forensically copied RAID image?
Can the tool read split data saves of each RAID disk?
Older hardware-firmware RAID systems can be a challenge when you’re making an image

51. Remote Acquisition with ProDiscover (continued)
PDServer installation modes
Trusted CD
Preinstallation
Pushing out and running remotely
PDServer can run in a stealth mode
Can change its process name to appear as an OS function

53. Remote Acquisition with EnCase Enterprise
Remote acquisition features
Remote data acquisition of a computer’s media and RAM data
Integration with intrusion detection system (IDS) tools
Options to create an image of data from one or more systems
Preview of systems
A wide range of file system formats
FAT, NTFS, Ext2/3, Reiser, Solaris, UFS, Palm, Mac HFS/HFS+, ISO9660, UDF, DVD, and more
RAID support for both hardware and software

61. ILook Investigator IXimager
IXimager
Runs from a bootable floppy or CD
Designed to work only with ILook Investigator
Can acquire single drives and RAID drives
Three formats
IDIF - A compressed format
IRBF - A raw format
IEIF - Encrypted format
http://www.ilook-forensics.org

62. Vogon International SDi32
Creates a raw format image of a drive
A write-blocker is needed when using this tool
Password Cracker POD
Device that removes the password on a drive’s firmware card
http://www.vogon-international.com

66. Summary (continued)
Always validate the acquisition
A Linux Live CD, such as Helix, provides many useful tools for computer forensics acquisitions
Preferred Linux acquisition tool is dcfldd (not dd)
Use a physical write-blocker device for acquisitions
To acquire RAID disks, determine the type of RAID first
Then decide which acquisition tool to use